05-07-2019 02:34 PM
Hi community,
Today GlobalProtect version 5.0.2 was released. The way to this version was a long one. I had 10 open cases with different issues that I reported for versions 5.0.0 and 5.0.1. Most of them are fixed in 5.0.2, so this version - from what I was able to test so far - could be the best one of the past years, as issues from versions earlier than 5 are now fixed as well. And in addition to the ones that my company reported, there were even more issues reported by others that are also fixed in 5.0.2.
Anyway, what I intend to do with this topic is a collection of working deployments and also putting together a list of still open problems in GlobalProtect 5.0.2. My hope is that GlobalProtect - with the help of the community - will get even better and have fewer issues/bugs.
So I ask you to write your working configurations and also the open issues (including case numbers if possible, so others can reference these numbers if they also open cases) - only related to GP 5.0.2.
Let's see if something helpful will be created in this topic 😉
Regards,
Remo
05-07-2019 02:35 PM - edited 06-07-2019 03:19 PM
Open issues
# | PA Bug ID | Description | Steps to reproduce | Case number(s) | Fixed in version |
1 | - | Two authentications are sent from the GP agent to the firewall (in case of MFA with SMS this means two SMS are sent to the user) | Not (yet) available | 01096611 | - |
2 | - | In rare situations GP detects a captive portal even if there isn't one. If you have configured MFA (with RADIUS) and you are also enforcing GP, this means that if the user cancels the MFA, he has access to the network/internet without a VPN connection | Not (yet) available | 01146221 | - |
3 | - | After resuming from sleep mode GlobalProtect gets stuck in captive portal detection (in a network without a captive portal) and is not able to connect without a manual reconnect. | Not (yet) available | - | - |
4 | - | After resuming from standby it took about 30 seconds (after the connection to the external network was established) until GlobalProtect continued with establishing a connection. Prior to standby the computer was connected to the same external network and GP was connected. | Not (yet) available | 01146236 | - |
5 | - | When nothing is entered on the OTP prompt, GP gets stuck at "still working" and the issue can only be resolved by restarting PanGPA or with a reboot. | Simply click OK on the OTP prompt without entering anything | 01147011 01147324 | 5.0.3 |
05-07-2019 10:49 PM
I have to agree that 5.0.2 is much better. We deployed GP about 8 months ago from 4.1.3 and have had non-stop issues; the experience for the users has been horrible. We had also identified bugs in each of the versions.
We still need to test the client when the user is connecting from a hotel or cafe Wi-Fi where a captive portal is involved.
Our configuration: we are doing pre-logon with an always-on setup. At the portal level we do LDAP with certificate, and at the gateway level OTP (Microsoft MFA, similar to Duo cloud) with certificate. We are not doing split tunnel at this time and have enforce set to yes. We have enabled SSO.
What is your current configuration? What are the issues you are seeing with 5.0.2 that are outstanding for you?
Curious if you or someone else has come across this issue. I am seeing this in 5.0.2 in the logs; I think I have seen it in a previous version but have not been able to reproduce it, and it is not something that happens often.
When I took my machine out of sleep and connected to my home Wi-Fi, I saw the message below during network discovery. I disconnected my Wi-Fi and then reconnected, after which I was able to connect.
(T14860) 05/07/19 23:06:25:349 Debug(1843): DnsQuery returns 1460
(T15604) 05/07/19 23:06:27:203 Debug(3905): CPD, reset cp detection history
(T15604) 05/07/19 23:06:27:203 Info ( 482): pan_get_ip_by_host() getaddrinfo failed with error code (11001)!
(T15604) 05/07/19 23:06:27:203 Error( 87): pan_captive_portal_detection() failed to resolve captive portal server:service (captive.apple.com:80)
(T15604) 05/07/19 23:06:27:203 Debug(3917): CPD, index=0, iRet=-1, lastError=0
(T15604) 05/07/19 23:06:27:203 Debug(3931): CPD, CaptivePortalDetectionThread: captive portal is not detected for CP server. iStatus = 0
(T15604) 05/07/19 23:06:27:203 Info ( 482): pan_get_ip_by_host() getaddrinfo failed with error code (11001)!
(T15604) 05/07/19 23:06:27:203 Error( 87): pan_captive_portal_detection() failed to resolve captive portal server:service (clients3.google.com:80)
(T15604) 05/07/19 23:06:27:203 Debug(3917): CPD, index=1, iRet=-1, lastError=-1
(T15604) 05/07/19 23:06:27:203 Debug(3931): CPD, CaptivePortalDetectionThread: captive portal is not detected for CP server. iStatus = 0
(T15604) 05/07/19 23:06:27:203 Info ( 482): pan_get_ip_by_host() getaddrinfo failed with error code (11001)!
(T15604) 05/07/19 23:06:27:203 Error( 87): pan_captive_portal_detection() failed to resolve captive portal server:service (www.msftconnecttest.com:80)
(T15604) 05/07/19 23:06:27:203 Debug(3917): CPD, index=2, iRet=-1, lastError=-1
(T15604) 05/07/19 23:06:27:203 Debug(3931): CPD, CaptivePortalDetectionThread: captive portal is not detected for CP server. iStatus = 0
(T15604) 05/07/19 23:06:27:203 Debug(4101): CaptivePortalDetectionThread: Didn't detect captive portal currently, and bCaptivePortalDetectedOnce=(0).
(T15604) 05/07/19 23:06:27:203 Debug(3993): CaptivePortalDetectionThread: wait (-1 ms) for captive portal detection event.
(T14860) 05/07/19 23:06:28:351 Debug(1851): Retry DnsQuery.
(T14860) 05/07/19 23:06:28:351 Debug(1869): Already takes 3 seconds for all dns queries.
(T14860) 05/07/19 23:06:28:351 Debug(1843): DnsQuery returns 1460
(T14860) 05/07/19 23:06:31:362 Debug(1851): Retry DnsQuery.
(T14860) 05/07/19 23:06:31:362 Debug(1869): Already takes 6 seconds for all dns queries.
(T14860) 05/07/19 23:06:31:362 Debug(1843): DnsQuery returns 1460
(T14860) 05/07/19 23:06:34:363 Debug(1851): Retry DnsQuery.
(T14860) 05/07/19 23:06:34:363 Debug(1869): Already takes 9 seconds for all dns queries.
(T14860) 05/07/19 23:06:34:363 Debug(1843): DnsQuery returns 1460
(T14860) 05/07/19 23:06:37:366 Debug(1851): Retry DnsQuery.
(T14860) 05/07/19 23:06:37:366 Debug(1869): Already takes 12 seconds for all dns queries.
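The excerpt above shows what a practitioner should look for before trusting a captive portal detection (CPD) verdict after resume: every probe host (captive.apple.com, clients3.google.com, www.msftconnecttest.com) fails in getaddrinfo() with Winsock error 11001 (WSAHOST_NOT_FOUND), the agent's own DnsQuery loop keeps returning 1460 (Win32 ERROR_TIMEOUT), and yet each probe is logged as "captive portal is not detected". The script below is an added example, my own code and not part of the thread or of Palo Alto Networks' tooling; it parses PanGPA-style log lines, counts those conditions, and marks the negative CPD verdict as untrustworthy when no probe host resolved at all. The sample log is constructed, modelled on the lines posted above, and the line format assumed by `LINE_RE` is the one visible in that excerpt.

```python
import re
from collections import Counter

# Windows error codes seen in the excerpt: Winsock WSAHOST_NOT_FOUND from getaddrinfo(),
# and Win32 ERROR_TIMEOUT returned by the agent's own DnsQuery retry loop.
WSAHOST_NOT_FOUND = 11001
ERROR_TIMEOUT = 1460

# "(T15604) 05/07/19 23:06:27:203 Error( 87): message" - format assumed from the posted excerpt.
LINE_RE = re.compile(
    r"^\((?P<thread>T\d+)\) (?P<date>\d\d/\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d):(?P<ms>\d{3}) "
    r"(?P<level>\w+)\s*\(\s*(?P<src>\d+)\): (?P<msg>.*)$"
)
CPD_RESOLVE_RE = re.compile(
    r"failed to resolve captive portal server:service \((?P<host>[^:()]+):(?P<port>\d+)\)"
)
GETADDRINFO_RE = re.compile(r"getaddrinfo failed with error code \((?P<code>\d+)\)")
CPD_PROBE_RE = re.compile(r"CPD, index=(?P<index>\d+), iRet=(?P<iret>-?\d+)")
CPD_NEGATIVE_RE = re.compile(r"captive portal is not detected for CP server")
DNSQUERY_RE = re.compile(r"DnsQuery returns (?P<code>\d+)")
ELAPSED_RE = re.compile(r"Already takes (?P<secs>\d+) seconds for all dns queries")


def parse_line(line):
    """Split one PanGPA log line into thread, timestamp, level, source line and message."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(log_text):
    """Summarise CPD and DNS behaviour in a PanGPA log excerpt."""
    unresolved_hosts = []
    probes = negative_verdicts = dns_retry_seconds = 0
    getaddrinfo_errors, dnsquery_errors = Counter(), Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if (m := CPD_RESOLVE_RE.search(msg)):
            unresolved_hosts.append(m["host"])
        elif (m := GETADDRINFO_RE.search(msg)):
            getaddrinfo_errors[int(m["code"])] += 1
        elif CPD_PROBE_RE.search(msg):
            probes += 1
        elif CPD_NEGATIVE_RE.search(msg):
            negative_verdicts += 1
        elif (m := DNSQUERY_RE.search(msg)):
            dnsquery_errors[int(m["code"])] += 1
        elif (m := ELAPSED_RE.search(msg)):
            dns_retry_seconds = max(dns_retry_seconds, int(m["secs"]))
    # A "not detected" verdict only says something about the network if at least one
    # probe host resolved; if every probe died in name resolution, DNS was simply not
    # usable yet after resume and the verdict carries no information.
    return {
        "unresolved_cpd_hosts": unresolved_hosts,
        "cpd_probes": probes,
        "cpd_negative_verdicts": negative_verdicts,
        "getaddrinfo_errors": dict(getaddrinfo_errors),
        "dnsquery_errors": dict(dnsquery_errors),
        "dns_retry_seconds": dns_retry_seconds,
        "cpd_result_trustworthy": probes > len(unresolved_hosts),
    }


def describe(summary):
    """Turn the summary into a one-line triage note."""
    parts = []
    if summary["cpd_probes"] and not summary["cpd_result_trustworthy"]:
        parts.append(f"all {summary['cpd_probes']} CPD probes failed at name resolution "
                     f"({', '.join(summary['unresolved_cpd_hosts'])}); 'not detected' is not evidence")
    if summary["getaddrinfo_errors"].get(WSAHOST_NOT_FOUND):
        parts.append("getaddrinfo returned WSAHOST_NOT_FOUND (11001)")
    if summary["dnsquery_errors"].get(ERROR_TIMEOUT):
        parts.append(f"DnsQuery returned ERROR_TIMEOUT (1460) for {summary['dns_retry_seconds']} seconds")
    return "; ".join(parts) if parts else "no CPD/DNS anomaly found"


# Constructed sample, modelled on the excerpt posted above (two probe hosts, two DNS retries).
SAMPLE_LOG = """\
(T14860) 05/07/19 23:06:25:349 Debug(1843): DnsQuery returns 1460
(T15604) 05/07/19 23:06:27:203 Debug(3905): CPD, reset cp detection history
(T15604) 05/07/19 23:06:27:203 Info ( 482): pan_get_ip_by_host() getaddrinfo failed with error code (11001)!
(T15604) 05/07/19 23:06:27:203 Error( 87): pan_captive_portal_detection() failed to resolve captive portal server:service (captive.apple.com:80)
(T15604) 05/07/19 23:06:27:203 Debug(3917): CPD, index=0, iRet=-1, lastError=0
(T15604) 05/07/19 23:06:27:203 Debug(3931): CPD, CaptivePortalDetectionThread: captive portal is not detected for CP server. iStatus = 0
(T15604) 05/07/19 23:06:27:203 Info ( 482): pan_get_ip_by_host() getaddrinfo failed with error code (11001)!
(T15604) 05/07/19 23:06:27:203 Error( 87): pan_captive_portal_detection() failed to resolve captive portal server:service (clients3.google.com:80)
(T15604) 05/07/19 23:06:27:203 Debug(3917): CPD, index=1, iRet=-1, lastError=-1
(T15604) 05/07/19 23:06:27:203 Debug(3931): CPD, CaptivePortalDetectionThread: captive portal is not detected for CP server. iStatus = 0
(T15604) 05/07/19 23:06:27:203 Debug(4101): CaptivePortalDetectionThread: Didn't detect captive portal currently, and bCaptivePortalDetectedOnce=(0).
(T14860) 05/07/19 23:06:28:351 Debug(1851): Retry DnsQuery.
(T14860) 05/07/19 23:06:28:351 Debug(1869): Already takes 3 seconds for all dns queries.
(T14860) 05/07/19 23:06:28:351 Debug(1843): DnsQuery returns 1460
(T14860) 05/07/19 23:06:31:362 Debug(1869): Already takes 6 seconds for all dns queries.
"""

if __name__ == "__main__":
    print(describe(analyze(SAMPLE_LOG)))
```

Run it against a real PanGPA.log (the excerpt lines, not the constructed sample) to see whether a "no captive portal" result after resume coincided with total resolution failure; if it did, the thing to fix is the ordering of CPD versus DNS readiness, not the probe hosts.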
05-08-2019 12:08 AM
Prior to entering sleep mode, where was your machine connected? in the internal/corporate network or were you already connected to your home wifi or another network?
05-08-2019 12:26 AM - edited 05-08-2019 12:28 AM
I will test the following configurations:
"Portal Client Config" { hip-collection { max-wait-time 20; collect-hip-data yes; } gateways { external { list { GATEWAY { fqdn GATEWAY; priority-rule { Any { priority 1; } } manual no; } } cutoff-time 5; } } authentication-override { generate-cookie no; } source-user any; os any; agent-ui { max-agent-user-overrides 0; agent-user-override-timeout 0; } internal-host-detection { ip-address INTERNAL-IP; hostname INTERNAL-FQDN; } gp-app-config { config { connect-method { value pre-logon; } refresh-config-interval { value 1; } agent-user-override { value allowed; } client-upgrade { value disabled; } use-sso { value yes; } logout-remove-sso { value yes; } krb-auth-fail-fallback { value yes; } retry-tunnel { value 1; } retry-timeout { value 1; } enforce-globalprotect { value yes; } captive-portal-exception-timeout { value 3600; } traffic-blocking-notification-delay { value 5; } display-traffic-blocking-notification-msg { value no; } traffic-blocking-notification-msg { value '<div style="font-family:'Helvetica Neue';"><h1 style="color:red;text-align:center; margin: 0; font-size: 30px;">Notice</h1><p style="margin: 0;font-size: 15px; line-height: 1.2em;">To access the network, you must first connect to GlobalProtect.</p></div>'; } allow-traffic-blocking-notification-dismissal { value yes; } display-captive-portal-detection-msg { value yes; } captive-portal-detection-msg { value '<div style="font-family:'Verdana';"><h1 style="color:green; margin: 0; font-size: 16px;">Loginseite erkannt / Captive Portal Detected</h1><p style="margin: 0; font-size: 14px; line-height: 1.2em;">Bitte klicken Sie auf den Link, um sich anzumelden und Zugriff auf das Netzwerk zu erhalten: <a href="http://CAPTIVEPORTALREDIRECT">Klicken Sie hier</a><br/>Please click the link to login and to get access to the network: <a href="http://CAPTIVEPORTALREDIRECT">Click here</a></p></div>'; } captive-portal-notification-delay { value 5; } certificate-store-lookup { value machine; } scep-certificate-renewal-period { value 7; } retain-connection-smartcard-removal { value yes; } enable-advanced-view { value yes; } enable-do-not-display-this-welcome-page-again { value yes; } rediscover-network { value yes; } resubmit-host-info { value yes; } can-change-portal { value no; } can-continue-if-portal-cert-invalid { value no; } show-agent-icon { value yes; } user-switch-tunnel-rename-timeout { value 0; } pre-logon-tunnel-rename-timeout { value 0; } show-system-tray-notifications { value no; } max-internal-gateway-connection-attempts { value 0; } portal-timeout { value 30; } connect-timeout { value 60; } receive-timeout { value 30; } enforce-dns { value yes; } flush-dns { value no; } proxy-multiple-autodetect { value no; } use-proxy { value yes; } wsc-autodetect { value yes; } mfa-enabled { value no; } mfa-listening-port { value 4501; } mfa-notification-msg { value "You have attempted to access a protected resource that requires additional authentication. Proceed to authenticate at"; } ipv6-preferred { value yes; } init-panel { value no; } } } save-user-credentials 0; portal-2fa no; manual-only-gateway-2fa no; internal-gateway-2fa no; auto-discovery-external-gateway-2fa no; mdm-enrollment-port 443; }
"Portal Client Config" { hip-collection { max-wait-time 20; collect-hip-data yes; } gateways { external { list { GATEWAY { fqdn GATEWAY; priority-rule { Any { priority 1; } } manual no; } } cutoff-time 5; } } authentication-override { generate-cookie no; } source-user any; os any; agent-ui { max-agent-user-overrides 0; agent-user-override-timeout 0; } internal-host-detection { ip-address INTERNAL-IP; hostname INTERNAL-FQDN; } gp-app-config { config { connect-method { value pre-logon; } refresh-config-interval { value 1; } agent-user-override { value disabled; } client-upgrade { value disabled; } use-sso { value yes; } logout-remove-sso { value yes; } krb-auth-fail-fallback { value yes; } retry-tunnel { value 30; } retry-timeout { value 5; } enforce-globalprotect { value yes; } captive-portal-exception-timeout { value 3600; } traffic-blocking-notification-delay { value 15; } display-traffic-blocking-notification-msg { value yes; } traffic-blocking-notification-msg { value '<div style="font-family:'Helvetica Neue';"><h1 style="color:red;text-align:center; margin: 0; font-size: 30px;">Notice</h1><p style="margin: 0;font-size: 15px; line-height: 1.2em;">To access the network, you must first connect to GlobalProtect.</p></div>'; } allow-traffic-blocking-notification-dismissal { value yes; } display-captive-portal-detection-msg { value yes; } captive-portal-detection-msg { value '<div style="font-family:'Helvetica Neue';"><h1 style="color:red;text-align:center; margin: 0; font-size: 30px;">Captive Portal Detected</h1><p style="margin: 0; font-size: 15px; line-height: 1.2em;">GlobalProtect has temporarily permitted network access for you to connect to the Internet. Follow instructions from your internet provider.</p><p style="margin: 0; font-size: 15px; line-height: 1.2em;">If you let the connection time out, open GlobalProtect and click Connect to try again.</p></div>'; } certificate-store-lookup { value machine; } scep-certificate-renewal-period { value 7; } retain-connection-smartcard-removal { value yes; } enable-advanced-view { value yes; } enable-do-not-display-this-welcome-page-again { value yes; } rediscover-network { value yes; } resubmit-host-info { value yes; } can-change-portal { value no; } can-continue-if-portal-cert-invalid { value no; } show-agent-icon { value yes; } user-switch-tunnel-rename-timeout { value 0; } pre-logon-tunnel-rename-timeout { value -1; } show-system-tray-notifications { value no; } max-internal-gateway-connection-attempts { value 0; } portal-timeout { value 5; } connect-timeout { value 5; } receive-timeout { value 30; } enforce-dns { value yes; } flush-dns { value no; } proxy-multiple-autodetect { value no; } wsc-autodetect { value yes; } mfa-enabled { value no; } mfa-listening-port { value 4501; } mfa-notification-msg { value "You have attempted to access a protected resource that requires additional authentication. Proceed to authenticate at"; } ipv6-preferred { value no; } } } save-user-credentials 0; portal-2fa no; manual-only-gateway-2fa no; internal-gateway-2fa no; auto-discovery-external-gateway-2fa no; mdm-enrollment-port 443; }
05-08-2019 08:25 AM
- My machine was docked; I put it to sleep and then undocked it
- At home I had to connect to the Wi-Fi, as my connection is manual
- When connected to Wi-Fi is when I noticed it
I will have to re-test and pay closer attention to what I did. I will update the post if I am able to reproduce it.
05-08-2019 12:25 PM
Added two rare issues in 5.0.2 to the third post in this topic.
05-08-2019 12:35 PM
@rj_raj wrote: - My machine was docked; I put it to sleep and then undocked it
- At home I had to connect to the Wi-Fi, as my connection is manual
- When connected to Wi-Fi is when I noticed it
I will have to re-test and pay closer attention to what I did. I will update the post if I am able to reproduce it.
@rj_raj I have added this issue to the open issues list. It would be great if you could add more details, or even better, if you are able to reproduce it.
05-09-2019 11:48 AM
I have added another low-priority issue and also case numbers for the 3 issues that I have experienced so far with 5.0.2. I need to add here that I have so far seen the issues from me in the list only once. Even though I tried, I was not able to reproduce them so far (which is good and bad at the same time).
05-10-2019 09:00 AM
Found an issue and was able to reproduce it in 5.0.2. If the user gets the MFA prompt and accidentally hits OK without typing any code, the client gets stuck at "still working" and nothing happens. The only way so far to get out of that is to kill the PanGPA process or restart the machine.
Remo, since you use OTP in your setup, can you reproduce the issue? Case number: 01147011
05-10-2019 01:17 PM
I was able to reproduce the issue. Without entering any OTP, GP gets stuck at "still working" as you mentioned.
05-10-2019 01:36 PM
I have updated the third post in this topic (the open issues) with the one described by you. In addition I have also created a case with a reference to yours.
Thanks!
08-09-2019 07:55 AM
I have a similar issue with GlobalProtect 5.0.3 and Duo MFA. Not sure if everyone is aware of how Duo MFA works with GlobalProtect, but instead of entering a one-time passcode, you can enter the number "1" and Duo will send a push notification to your mobile device. Well, I entered "1" and never got the push notification (not sure why), but this caused the GlobalProtect client to get stuck at "Still Working...". I waited 25 minutes and the client never timed out; it just kept trying.